US7725922B2 - System and method for using sandboxes in a managed shell - Google Patents

System and method for using sandboxes in a managed shell Download PDF

Info

Publication number
US7725922B2
US7725922B2 US11384264 US38426406A US7725922B2 US 7725922 B2 US7725922 B2 US 7725922B2 US 11384264 US11384264 US 11384264 US 38426406 A US38426406 A US 38426406A US 7725922 B2 US7725922 B2 US 7725922B2
Authority
US
Grant status
Grant
Patent type
Prior art keywords
shell
script
tool
sandbox
security policies
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US11384264
Other versions
US20070226773A1 (en )
Inventor
Sebastien Pouliot
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Oracle International Corp
Original Assignee
Micro Focus Software Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Grant date

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149Restricted operating environment

Abstract

The present invention allows shell program to be managed with security policies and enforced using sandboxes enforced by the security manager of a managed environment. The additional security policies may come from shell tool specific security policies, application specific security policies, resource based security policies, shell based policies, owner based policies, user based policies and/or other types of policies. Security policies may be merged to provide a managed shell more permission granularity in addition to existing machine policies.

Description

FIELD OF INVENTION

The invention is a system and method for executing a managed shell program and more particularly dynamically creating a sandbox environment for implementing security policies for the secure execution of shell tools and resources.

BACKGROUND

Shell programs are commonly known in the art as a way of commanding a computer to execute certain actions. Shell programs may be graphical or text based. Shell tools may include the actual shell commands like list (ls), move (mv), and remove (rm), among others. A shell script may be a series of shell commands stored in a file and executed until the end of the file is reached. Shell commands can access critical resources within a computer. Current shell security uses the security offered by the operating system of the computer, which is mostly user identity-based (e.g. user A can access the file B, while user C cannot).

With the proliferation of downloading programs, scripts, and other data from the Internet or third party sources, there is a need for limiting access to internal computer resources from potentially malicious downloads. An operating system security based on user identity is not enough because a user may unknowingly execute malicious codes and/or scripts. This is a drawback because a program is executed in the security context of its user, therefore, the program has all the permissions associated with the user identity (e.g. user A execute program X which maliciously access file B).

SUMMARY

Various aspects of the invention overcome at least some of these and other drawbacks of known systems. According to one object of the invention, an operating system may execute a shell script in a managed environment (e.g., a Java or ECMA virtual machine) and then by recognizing one or more shell tools; identifying one or more security policies related to the one or more shell tools; and dynamically creating a sandbox for enforcing the identified security policies to the managed shell during execution. Security policies may come from tool specific security policies, application specific security policies, resource based security policies, shell based policies, owner based policies, user based policies and/or other types of policies. The one or more security policies adds permissions granularity to a managed shell.

The invention provides security by creating a sandbox for a command or script to be executed using a managed shell. The security manager of the managed environment will enforce the security policy established, from different sources, by the managed shell. A sandbox is an isolated execution environment and safe place for running semi-trusted programs or scripts, often originating from a third party. It is a restricted environment in which certain functions are prohibited. Security policies can additionally limit the kind of actions performed during execution within a sandbox. For example, deleting files and modifying system information such as registry settings and other control panel functions may be prohibited within a sandbox. This allows security policies to be enforced for application and application resources that are not being executed.

According to another object of the invention, a managed shell execution may include identifying the managed shell security policy; recognizing one or more of the shell tools during runtime; recognizing one or more custom permissions of the managed shell; identifying a shell tool security policy for each of the one or more recognized shell tools; and merging the one or more identified shell tool security policies and the identified managed shell security policy and the one or more identified custom permissions; and enforcing the merged policies in a dynamically created sandbox execution. Two or more different security policies may be merged with one or more permissions and enforced during execution in the sandbox.

These objects increase the security on the actions that may be performed by a shell scripts or programs originating from various unknown sources. These and other objects, features and advantages of the invention will be apparent through the detailed description of the embodiments and the drawings attached hereto. It is also to be understood that both the foregoing general description and the following detailed description are exemplary and not restrictive of the scope of the invention.

DESCRIPTION OF DRAWINGS

FIG. 1 is a high-level block diagram of a system, according to one embodiment of the invention.

FIG. 2 is a flow chart for a method for creating a sandbox, according to one embodiment of the invention.

FIG. 3 is a block diagram for a managed shell, according to one embodiment of the invention.

DETAILED DESCRIPTION

One aspect of the invention is based on a shell executed under a managed environment 18. This managed shell can dynamically create sandboxed environments before the execution of shell commands or scripts. The sandboxes are configured to support one or more security policies that may be enforced by a security manager 20.

FIG. 1 illustrates a system, according to one embodiment of invention. A computer 10 may include an operating system 12, conventionally known in the art. One or more shell scripts (or programs) may be present on a computer 10. Shell scripts (14, 16) may be downloaded to a computer directory from a third party source 34 through a network connection 32. Other sources may be included (e.g., hard disk, CD, drive storage). The origin of the scripts and program is part of a code identity and may affect how the security manager resolves the security policy. Thus, shell scripts on a computer may originate from various sources that may be secure, un-secure, or semi-secure. Additionally, shell scripts may be programmed in limitless ways to add features to existing application (e.g., automate repetitive tasks) and to create new functions. Many shell scripts may be executed simultaneously. Shell scripts may run as a background process while other applications are running on a computer. For example, a shell script may be programmed to indicate when a hard drive memory falls below a user indicated threshold.

A managed environment 18 may be used for executing shell scripts as a managed shell. A security manager 20 may identify and enforce various security parameters within a dynamically created sandboxed environment. Security parameters may be stored as one or more security policies 22 maintained locally at computer 10 (or remotely at another location). In addition to existing operating system security policies (e.g., user-based identity), additional permissions and policies may be enforced within a managed shell sandbox. Security policy may include one or more permissions for enforcing security parameters. Security permissions may determine what actions can and cannot be performed. A security policy may be created for various objects including, but not limited to, shell tool specific security policies, application specific security policies, resource based security policies, shell based policies, owner based policies, user based policies and/or other types of policies. During execution within a managed shell, a shell script may request access to a resource in order to perform the commands within the script. Resources 24 may include files 26, directories 28, processes 30, and/or other resources. A security manager 20 can enforce the security policy related to a requested resource.

In one aspect, the system can apply more kinds of permissions (e.g., code identity, resources based security) and more permission granularity in addition to the existing, user identity based, security found in current shells. A managed shell may include recognizing the shell commands (e.g., shell tools) as separate entities that have their own security policies. Tool policies are merged with the shells own policies before executing the tools. This way the managed tools themselves can limit the kind of actions they can perform (e.g., a ‘rm’ command that never deletes backup files). Ever further, a managed shell may recognize the resources (e.g., files, directories, process) and the owners (e.g., applications, users) as separate entities that can also have their own security policies (e.g. only an administrator can delete the backup file).

A managed shell may dynamically create sandboxes based on the tools and resources being requested before launching the execution. This is unlike normal application, even managed application. The shell sandboxes may be supplied with information, for example, the requested tools and resources, and the granted/refused permission sets.

FIG. 2 discloses a method for executing a managed shell according to one aspect of the invention. A shell script may be launched automatically without user's knowledge or manually with user initiation. A managed shell may be created at runtime (operation 50) for securely running a shell script (or program). The managed shell may execute managed tools, unmanaged tools, and custom permissions. Managed tools can include general shell tools (e.g. ls, rm, cp, mv), specific application tools (e.g., configuration tools restricted to super users, backup and restore tools), code assemblies and/or other resources. This may allow security policies that are not overly complex or descriptive. For example, a shell could deny access to write to a file if the owning application is currently running.

Unmanaged tools may not have security policies, rather they may be executed if the security policy explicitly allows for it, but once executed a managed shell may not guarantee how the unmanaged code will act.

Custom permissions are managed code libraries that are invoked by the security manager 20 before granting access to a resource. This type of permission may execute specific code to check for more advanced and/or specialized permissions (e.g., application or resource specific permission). For example, custom permissions could do time-based checks to allow or deny certain operations.

Managed tools, unmanaged tools, and/or custom permissions may be identified at runtime (operation 52). Security policies for managed tools may be identified along with security decisions to be made with regard to unmanaged tools (operation 54). Based on the evidences of the tools (e.g., code identity, source, requested permission) and the specified resources, one or more sandboxes may be dynamically created for one or more managed tools and unmanaged tools in order to apply the identified security policies, decisions and permissions as a merged set of rules to be enforced within the one or more sandboxes (operation 56 and 58). The managed shell may be executed according to the merged set of security policies within the one or more sandboxes (operation 60). The creation of sandboxes allows shells to be executed without security risks to other processes and resources of the system. It is possible to create a sandbox inside another sandbox to further restrict the permissions granted on a sub-script (e.g. a trusted script calling another less-trusted script).

One aspect of the invention uniquely addresses the use of multiple sandboxes in a managed shell where commands and resources may be subject to a security manager. This allows application specific security policies to apply for shell commands and also to have shell commands specific security policies while still allowing the “normal” (e.g., user, machine and enterprise security policies) security policies to be applied.

Advanced shell security may be implemented based on the knowledge the shell has of the resources it accesses. This allows security policies to be applied to the resources the shell accesses as well as to managed code. This extends the usage of the security manager 20 by giving it greater awareness during execution. This may also allow managed shell to provide remote and controlled access to a shell (e.g., a script may be sent to another computer to be executed).

FIG. 3 is a block diagram that further illustrates a managed shell and shell sandbox according to one aspect of the invention. At runtime a shell script (or program) may be executed by a managed shell 70. Various objects are used for the execution of the shell including, but not limited to, shell tools 74, custom permissions 80, application resources 82, and security policies 84. Managed shell may include the use of shell tools 74 including managed tools 76 and unmanaged tools 78, during shell execution. One or more shell sandboxes 72 may be created (e.g., a shell script calling another script) for the one or more managed and unmanaged tools. Instances of security policies 84 may be used in the shell sandbox. The security policy instances may relate to managed tools and requested resources 82 of the managed shell. Custom permissions for a managed shell may be specified for use within the shell sandbox. The combination of security policies from the various aspects of shell execution provides a secure execution that goes beyond the conventional operation system security by dynamically creating a secure execution environment in the form or a sandbox having security policies.

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. Various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

Claims (20)

1. A method for using sandboxes in a managed shell, comprising:
creating a managed environment for executing a shell script on a computer;
executing the shell script in the managed environment on one or more processors associated with the computer, wherein the managed environment includes a first sandbox configured to enforce one or more security policies for the shell script during runtime execution of the shell script in the managed environment;
recognizing at least one shell tool that the shell script requests during the runtime execution in the managed environment, wherein a security manager recognizes the shell tool as an entity separate from the shell script that has one or more additional security policies separate from the one or more security policies for the shell script;
identifying the additional security policies for the recognized shell tool requested by the shell script during the runtime execution in the managed environment;
dynamically creating a second sandbox inside the first sandbox in response to recognizing the at least one shell tool requested by the shell script during the run time execution in the managed environment, wherein the second sandbox is configured to enforce the additional security policies identified for the requested shell tool;
merging the one or more security policies for the shell script with the additional security policies identified for the requested shell tool; and
executing the requested shell tool in the managed environment, wherein the managed environment is configured to use the first sandbox and the second sandbox to enforce the merged security policies for the shell script and the requested shell tool.
2. The method of claim 1, wherein the requested shell tool includes a managed shell tool having the additional security policies.
3. The method of claim 2, wherein the managed environment is further configured to enforce the security policies for the shell script and the additional security policies for the managed shell tool in response to the shell script requesting the managed shell tool during the runtime execution in the managed environment.
4. The method of claim 1, further comprising dynamically creating a third sandbox inside the first sandbox in response to recognizing at least one unmanaged shell tool requested by the shell script during the runtime execution in the managed environment, wherein the managed environment is further configured to enforce the security policies for the shell script for the unmanaged shell tool in response to the shell script requesting the unmanaged shell tool during the runtime execution in the managed environment.
5. The method of claim 1, wherein the requested shell tool includes a sub-script that the shell script requests to execute during the runtime execution in the managed environment.
6. The method of claim 1, wherein the requested shell tool includes a resource that the shell script requests access to during the runtime execution in the managed environment.
7. The method of claim 1, wherein the managed environment is further configured to enforce the merged security policies for the shell script and the requested shell tool based on whether the shell script and the requested shell tool originate from a secure source, an un-secure source, or a semi-secure source.
8. The method of claim 1, wherein the merged security policies each include one or more security permissions or security parameters that restrict one or more actions that one or more of the shell script or the shell tool request during the runtime execution in the managed environment.
9. The method of claim 1, wherein the security manager dynamically creates the second sandbox inside the first sandbox prior to executing the requested shell tool in the managed environment.
10. The method of claim 1, further comprising supplying the first sandbox and the second sandbox with one or more granted permission sets and one or more refused permission sets, wherein the first sandbox and the second sandbox use the granted permission sets and the refused permission sets to enforce the merged security policies for the shell script and the requested shell tool.
11. A system for using sandboxes in a managed shell, comprising:
a computer configured to download a shell script through a network connection;
a managed environment configured to execute the downloaded shell script on the computer, wherein the managed environment includes a first sandbox configured to enforce one or more security policies for the shell script during runtime execution of the shell script in the managed environment; and
a security manager configured to:
recognize at least one shell tool that the shell script requests during the runtime execution in the managed environment, wherein the security manager recognizes the shell tool as an entity separate from the shell script that has one or more additional security policies separate from the one or more security policies for the shell script;
identify the additional security policies for the recognized shell tool requested by the shell script during the runtime execution in the managed environment;
dynamically create a second sandbox inside the first sandbox in response to recognizing the at least one shell tool requested by the shell script during the runtime execution in the managed environment, wherein the second sandbox is configured to enforce the additional security policies identified for the requested shell tool;
merge the one or more security policies for the shell script with the additional security policies identified for the requested shell tool; and
execute the requested shell tool in the managed environment, wherein the managed environment is further configured to use the first sandbox and the second sandbox to enforce the merged security policies for the shell script and the requested shell tool.
12. The system of claim 11, wherein the requested shell tool includes a managed shell tool having the additional security policies.
13. The system of claim 12, wherein the managed environment is further configured to enforce the security policies for the shell script and the additional security policies for the managed shell tool in response to the shell script requesting the managed shell tool during the runtime execution in the managed environment.
14. The system of claim 11, wherein the security manager is further configured to dynamically create a third sandbox inside the first sandbox in response to recognizing at least one unmanaged shell tool requested by the shell script during the runtime execution in the managed environment, wherein the managed environment is further configured to enforce the security policies for the shell script for the unmanaged shell tool in response to the shell script requesting the unmanaged shell tool during the runtime execution in the managed environment.
15. The system of claim 11, wherein the requested shell tool includes a sub-script that the shell script requests to execute during the runtime execution in the managed environment.
16. The system of claim 11, wherein the requested shell tool includes a resource that the shell script requests access to during the runtime execution in the managed environment.
17. The system of claim 11, wherein the managed environment is further configured to enforce the merged security policies for the shell script and the requested shell tool based on whether the shell script and the requested shell tool originate from a secure source, an un-secure source, or a semi-secure source.
18. The system of claim 11, wherein the merged security policies each include one or more security permissions or security parameters that restrict one or more actions that one or more of the shell script or the shell tool request during the runtime execution in the managed environment.
19. The system of claim 11, wherein the security manager is further configured to dynamically create the second sandbox inside the first sandbox prior to executing the requested shell tool in the managed environment.
20. The system of claim 11, wherein the security manager is further configured to supply the first sandbox and the second sandbox with one or more granted permission sets and one or more refused permission sets, wherein the first sandbox and the second sandbox use the granted permission sets and the refused permission sets to enforce the merged security policies for the shell script and the requested shell tool.
US11384264 2006-03-21 2006-03-21 System and method for using sandboxes in a managed shell Active 2028-08-10 US7725922B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11384264 US7725922B2 (en) 2006-03-21 2006-03-21 System and method for using sandboxes in a managed shell

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11384264 US7725922B2 (en) 2006-03-21 2006-03-21 System and method for using sandboxes in a managed shell

Publications (2)

Publication Number Publication Date
US20070226773A1 true US20070226773A1 (en) 2007-09-27
US7725922B2 true US7725922B2 (en) 2010-05-25

Family

ID=38535178

Family Applications (1)

Application Number Title Priority Date Filing Date
US11384264 Active 2028-08-10 US7725922B2 (en) 2006-03-21 2006-03-21 System and method for using sandboxes in a managed shell

Country Status (1)

Country Link
US (1) US7725922B2 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080046961A1 (en) * 2006-08-11 2008-02-21 Novell, Inc. System and method for network permissions evaluation
US7823186B2 (en) 2006-08-24 2010-10-26 Novell, Inc. System and method for applying security policies on multiple assembly caches
US20120030272A1 (en) * 2010-07-27 2012-02-02 International Business Machines Corporation Uploading and Executing Command Line Scripts
WO2012082524A1 (en) * 2010-12-16 2012-06-21 Microsoft Corporation Security sandbox
CN102902920A (en) * 2012-09-13 2013-01-30 西北工业大学 Method and system for access safety detection and isolation of virtualized user
US20140223426A1 (en) * 2011-10-06 2014-08-07 Thales Method of generating, from an initial package file comprising an application to be secured and an initial configuration file, a package file for securing the application, and associated computer program product and computing device
US20150143375A1 (en) * 2013-11-18 2015-05-21 Unisys Corporation Transaction execution in systems without transaction support
US9165136B1 (en) * 2010-10-27 2015-10-20 Amazon Technologies, Inc. Supervising execution of untrusted code
US9766981B2 (en) 2014-06-10 2017-09-19 Institute For Information Industry Synchronization apparatus, method, and non-transitory computer readable storage medium

Families Citing this family (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9280662B2 (en) * 2006-04-21 2016-03-08 Hewlett Packard Enterprise Development Lp Automatic isolation of misbehaving processes on a computer system
US8677141B2 (en) * 2007-11-23 2014-03-18 Microsoft Corporation Enhanced security and performance of web applications
US8356303B2 (en) * 2007-12-10 2013-01-15 Infosys Technologies Ltd. Method and system for integrated scheduling and replication in a grid computing system
US8627342B2 (en) * 2008-01-31 2014-01-07 Paul Michael Tapper Multi-machine shell
US8261342B2 (en) * 2008-08-20 2012-09-04 Reliant Security Payment card industry (PCI) compliant architecture and associated methodology of managing a service infrastructure
US8745361B2 (en) 2008-12-02 2014-06-03 Microsoft Corporation Sandboxed execution of plug-ins
US20100162240A1 (en) * 2008-12-23 2010-06-24 Samsung Electronics Co., Ltd. Consistent security enforcement for safer computing systems
EP2387765B1 (en) 2009-01-19 2018-05-23 Koninklijke Philips N.V. Browser with dual scripting engine for privacy protection
US8627451B2 (en) * 2009-08-21 2014-01-07 Red Hat, Inc. Systems and methods for providing an isolated execution environment for accessing untrusted content
US8479286B2 (en) * 2009-12-15 2013-07-02 Mcafee, Inc. Systems and methods for behavioral sandboxing
US9684785B2 (en) * 2009-12-17 2017-06-20 Red Hat, Inc. Providing multiple isolated execution environments for securely accessing untrusted content
EP2558923A4 (en) * 2010-04-12 2014-11-19 Google Inc Extension framework for input method editor
US9027151B2 (en) * 2011-02-17 2015-05-05 Red Hat, Inc. Inhibiting denial-of-service attacks using group controls
US8806570B2 (en) 2011-10-11 2014-08-12 Citrix Systems, Inc. Policy-based application management
US8886925B2 (en) 2011-10-11 2014-11-11 Citrix Systems, Inc. Protecting enterprise data through policy-based encryption of message attachments
US20140032733A1 (en) 2011-10-11 2014-01-30 Citrix Systems, Inc. Policy-Based Application Management
US20140053234A1 (en) 2011-10-11 2014-02-20 Citrix Systems, Inc. Policy-Based Application Management
WO2013082437A1 (en) 2011-12-02 2013-06-06 Invincia, Inc. Methods and apparatus for control and detection of malicious content using a sandbox environment
WO2013151454A1 (en) * 2012-04-06 2013-10-10 Google Inc. Hosted application sandboxing
GB2501469B (en) 2012-04-16 2014-07-09 Avecto Ltd Method and computer device for handling COM objects
US8745755B2 (en) 2012-10-12 2014-06-03 Citrix Systems, Inc. Controlling device access to enterprise resources in an orchestration framework for connected devices
US9774658B2 (en) 2012-10-12 2017-09-26 Citrix Systems, Inc. Orchestration framework for connected devices
US9516022B2 (en) 2012-10-14 2016-12-06 Getgo, Inc. Automated meeting room
US20140109171A1 (en) 2012-10-15 2014-04-17 Citrix Systems, Inc. Providing Virtualized Private Network tunnels
US20140109176A1 (en) 2012-10-15 2014-04-17 Citrix Systems, Inc. Configuring and providing profiles that manage execution of mobile applications
US8910239B2 (en) 2012-10-15 2014-12-09 Citrix Systems, Inc. Providing virtualized private network tunnels
US9971585B2 (en) 2012-10-16 2018-05-15 Citrix Systems, Inc. Wrapping unmanaged applications on a mobile device
US20140108793A1 (en) 2012-10-16 2014-04-17 Citrix Systems, Inc. Controlling mobile device access to secure data
US9606774B2 (en) 2012-10-16 2017-03-28 Citrix Systems, Inc. Wrapping an application with field-programmable business logic
US9069766B2 (en) * 2012-11-02 2015-06-30 Microsoft Technology Licensing, Llc Content-based isolation for computing device security
US9003479B2 (en) * 2012-12-11 2015-04-07 International Business Machines Corporation Uniformly transforming the characteristics of a production environment
US9215225B2 (en) 2013-03-29 2015-12-15 Citrix Systems, Inc. Mobile device locking with context
US8910264B2 (en) 2013-03-29 2014-12-09 Citrix Systems, Inc. Providing mobile device management functionalities
US9280377B2 (en) 2013-03-29 2016-03-08 Citrix Systems, Inc. Application with multiple operation modes
US9355223B2 (en) 2013-03-29 2016-05-31 Citrix Systems, Inc. Providing a managed browser
US8850049B1 (en) 2013-03-29 2014-09-30 Citrix Systems, Inc. Providing mobile device management functionalities for a managed browser
US9413736B2 (en) 2013-03-29 2016-08-09 Citrix Systems, Inc. Providing an enterprise application store
US9985850B2 (en) 2013-03-29 2018-05-29 Citrix Systems, Inc. Providing mobile device management functionalities
US8813179B1 (en) 2013-03-29 2014-08-19 Citrix Systems, Inc. Providing mobile device management functionalities
US9349000B2 (en) * 2014-01-27 2016-05-24 Microsoft Technology Licensing, Llc Web service sandbox system

Citations (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5452457A (en) 1993-01-29 1995-09-19 International Business Machines Corporation Program construct and methods/systems for optimizing assembled code for execution
US6071316A (en) 1997-09-29 2000-06-06 Honeywell Inc. Automated validation and verification of computer software
US6230312B1 (en) 1998-10-02 2001-05-08 Microsoft Corporation Automatic detection of per-unit location constraints
US6282701B1 (en) 1997-07-31 2001-08-28 Mutek Solutions, Ltd. System and method for monitoring and analyzing the execution of computer programs
US6308275B1 (en) * 1998-07-10 2001-10-23 At Home Corporation Web host providing for secure execution of CGI programs and method of doing the same
US20020042897A1 (en) 2000-09-29 2002-04-11 Tanisys Technology Inc. Method and system for distributed testing of electronic devices
US20020069200A1 (en) 2000-01-07 2002-06-06 Geoffrey Cooper Efficient evaluation of rules
US20020198675A1 (en) 2001-03-23 2002-12-26 Mark Underseth System and method for generating data sets for testing embedded systems
US20030041267A1 (en) * 2000-06-21 2003-02-27 Microsoft Corporation Partial grant set evaluation from partial evidence in an evidence-based security policy manager
US20030065942A1 (en) 2001-09-28 2003-04-03 Lineman David J. Method and apparatus for actively managing security policies for users and computers in a network
US6560774B1 (en) 1999-09-01 2003-05-06 Microsoft Corporation Verifier to check intermediate language
US20030110192A1 (en) 2000-01-07 2003-06-12 Luis Valente PDstudio design system and method
US20030115484A1 (en) 1998-10-28 2003-06-19 Moriconi Mark S. System and method for incrementally distributing a security policy in a computer network
US6615264B1 (en) 1999-04-09 2003-09-02 Sun Microsystems, Inc. Method and apparatus for remotely administered authentication and access control
US20030177355A1 (en) 1997-11-27 2003-09-18 Doron Elgressy Method and system for enforcing a communication security policy
US20030196114A1 (en) * 2002-04-10 2003-10-16 International Business Machines Persistent access control of protected content
US20030225822A1 (en) * 2002-05-30 2003-12-04 Microsoft Corporation Unbounded computing space
US20040103323A1 (en) 2002-11-21 2004-05-27 Honeywell International Inc. Generic security infrastructure for COM based systems
US6802054B2 (en) 2000-08-10 2004-10-05 International Business Machines Corporation Generation of runtime execution traces of applications and associated problem determination
US20040250112A1 (en) 2000-01-07 2004-12-09 Valente Luis Filipe Pereira Declarative language for specifying a security policy
US6871284B2 (en) 2000-01-07 2005-03-22 Securify, Inc. Credential/condition assertion verification optimization
US20050071668A1 (en) 2003-09-30 2005-03-31 Yoon Jeonghee M. Method, apparatus and system for monitoring and verifying software during runtime
US20050172126A1 (en) 2004-02-03 2005-08-04 Microsoft Corporation Security requirement determination
US20050240999A1 (en) * 1997-11-06 2005-10-27 Moshe Rubin Method and system for adaptive rule-based content scanners for desktop computers
US20050262517A1 (en) 2004-05-21 2005-11-24 French Jeffrey K System and method for generating a web control in a Windows development environment
US6971091B1 (en) 2000-11-01 2005-11-29 International Business Machines Corporation System and method for adaptively optimizing program execution by sampling at selected program points
US20060064737A1 (en) 2004-09-07 2006-03-23 Wallace David R Security deployment system
US20060117299A1 (en) 2004-11-23 2006-06-01 International Business Machines Corporation Methods and apparatus for monitoring program execution
US7069554B1 (en) 1998-05-06 2006-06-27 Sun Microsystems, Inc. Component installer permitting interaction among isolated components in accordance with defined rules
US20060143396A1 (en) 2004-12-29 2006-06-29 Mason Cabot Method for programmer-controlled cache line eviction policy
US20060150021A1 (en) 2002-11-22 2006-07-06 Continental Teves Ag & Co. Ohg Device and method for analyzing embedded systems
US20060235655A1 (en) 2005-04-18 2006-10-19 Qing Richard X Method for monitoring function execution
US7487221B2 (en) * 2004-02-20 2009-02-03 Sony Corporation Network system, distributed processing method and information processing apparatus
US7512965B1 (en) 2000-04-19 2009-03-31 Hewlett-Packard Development Company, L.P. Computer system security service
US7552472B2 (en) 2002-12-19 2009-06-23 International Business Machines Corporation Developing and assuring policy documents through a process of refinement and classification

Patent Citations (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5452457A (en) 1993-01-29 1995-09-19 International Business Machines Corporation Program construct and methods/systems for optimizing assembled code for execution
US6282701B1 (en) 1997-07-31 2001-08-28 Mutek Solutions, Ltd. System and method for monitoring and analyzing the execution of computer programs
US6071316A (en) 1997-09-29 2000-06-06 Honeywell Inc. Automated validation and verification of computer software
US20050240999A1 (en) * 1997-11-06 2005-10-27 Moshe Rubin Method and system for adaptive rule-based content scanners for desktop computers
US20030177355A1 (en) 1997-11-27 2003-09-18 Doron Elgressy Method and system for enforcing a communication security policy
US7069554B1 (en) 1998-05-06 2006-06-27 Sun Microsystems, Inc. Component installer permitting interaction among isolated components in accordance with defined rules
US6308275B1 (en) * 1998-07-10 2001-10-23 At Home Corporation Web host providing for secure execution of CGI programs and method of doing the same
US6230312B1 (en) 1998-10-02 2001-05-08 Microsoft Corporation Automatic detection of per-unit location constraints
US20030115484A1 (en) 1998-10-28 2003-06-19 Moriconi Mark S. System and method for incrementally distributing a security policy in a computer network
US6615264B1 (en) 1999-04-09 2003-09-02 Sun Microsystems, Inc. Method and apparatus for remotely administered authentication and access control
US6560774B1 (en) 1999-09-01 2003-05-06 Microsoft Corporation Verifier to check intermediate language
US20040250112A1 (en) 2000-01-07 2004-12-09 Valente Luis Filipe Pereira Declarative language for specifying a security policy
US20030110192A1 (en) 2000-01-07 2003-06-12 Luis Valente PDstudio design system and method
US20020069200A1 (en) 2000-01-07 2002-06-06 Geoffrey Cooper Efficient evaluation of rules
US6871284B2 (en) 2000-01-07 2005-03-22 Securify, Inc. Credential/condition assertion verification optimization
US7512965B1 (en) 2000-04-19 2009-03-31 Hewlett-Packard Development Company, L.P. Computer system security service
US20030041267A1 (en) * 2000-06-21 2003-02-27 Microsoft Corporation Partial grant set evaluation from partial evidence in an evidence-based security policy manager
US6802054B2 (en) 2000-08-10 2004-10-05 International Business Machines Corporation Generation of runtime execution traces of applications and associated problem determination
US20020042897A1 (en) 2000-09-29 2002-04-11 Tanisys Technology Inc. Method and system for distributed testing of electronic devices
US6971091B1 (en) 2000-11-01 2005-11-29 International Business Machines Corporation System and method for adaptively optimizing program execution by sampling at selected program points
US20020198675A1 (en) 2001-03-23 2002-12-26 Mark Underseth System and method for generating data sets for testing embedded systems
US20030065942A1 (en) 2001-09-28 2003-04-03 Lineman David J. Method and apparatus for actively managing security policies for users and computers in a network
US20030196114A1 (en) * 2002-04-10 2003-10-16 International Business Machines Persistent access control of protected content
US20030225822A1 (en) * 2002-05-30 2003-12-04 Microsoft Corporation Unbounded computing space
US20040103323A1 (en) 2002-11-21 2004-05-27 Honeywell International Inc. Generic security infrastructure for COM based systems
US20060150021A1 (en) 2002-11-22 2006-07-06 Continental Teves Ag & Co. Ohg Device and method for analyzing embedded systems
US7552472B2 (en) 2002-12-19 2009-06-23 International Business Machines Corporation Developing and assuring policy documents through a process of refinement and classification
US20050071668A1 (en) 2003-09-30 2005-03-31 Yoon Jeonghee M. Method, apparatus and system for monitoring and verifying software during runtime
US20050172126A1 (en) 2004-02-03 2005-08-04 Microsoft Corporation Security requirement determination
US7487221B2 (en) * 2004-02-20 2009-02-03 Sony Corporation Network system, distributed processing method and information processing apparatus
US20050262517A1 (en) 2004-05-21 2005-11-24 French Jeffrey K System and method for generating a web control in a Windows development environment
US20060064737A1 (en) 2004-09-07 2006-03-23 Wallace David R Security deployment system
US20060117299A1 (en) 2004-11-23 2006-06-01 International Business Machines Corporation Methods and apparatus for monitoring program execution
US7620940B2 (en) 2004-11-23 2009-11-17 International Business Machines Corporation Methods and apparatus for monitoring program execution
US20060143396A1 (en) 2004-12-29 2006-06-29 Mason Cabot Method for programmer-controlled cache line eviction policy
US20060235655A1 (en) 2005-04-18 2006-10-19 Qing Richard X Method for monitoring function execution

Non-Patent Citations (16)

* Cited by examiner, † Cited by third party
Title
Alcazar, Mark, "Windows Presentation Foundation Security Sandbox", MSDN Library, Microsoft Corporation, printed from http://msdn.microsoft.com/library/en-us/dnlong/html/wpfsecuritysandbox.asp?frame=true, Sep. 2005, 9 pages.
Clark, Jason, "Return of the Rich Client-Code Access Security and Distribution Features in .NET Enhance Client-Side Apps", MSDN Magazine, printed from http://msdn.microsoft.com/msdnmag/issues/02/06/rich/default.aspx, Jun. 2002, 16 pages.
Clark, Jason, "Return of the Rich Client—Code Access Security and Distribution Features in .NET Enhance Client-Side Apps", MSDN Magazine, printed from http://msdn.microsoft.com/msdnmag/issues/02/06/rich/default.aspx, Jun. 2002, 16 pages.
Damianou, Nicodemos C., "A Policy Framework for Management of Distributed Systems", Thesis, Imperial College of Science, Technology and Medicine, University of London, Department of Computing, Feb. 2002, 233 pages.
Meier, J.D., et al., "How To: Perform a Security Code Review for Managed Code (Baseline Activity)", printed from http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000027.asp?frame=true, Microsoft Corporation, Oct. 2005, 13 pages.
Mono, "Assemblies and the GAC-How Mono Finds Assemblies", printed from http://www.mono-project.com/Assemblies-and-the-GAC, Jul. 20, 2005, 11 pages.
Mono, "Mono:Runtime-The Mono Runtime", printed from http://www.mono-project.com/Mono:Runtime, Jan. 24, 2006, 8 pages.
Mono, "Assemblies and the GAC—How Mono Finds Assemblies", printed from http://www.mono-project.com/Assemblies—and—the—GAC, Jul. 20, 2005, 11 pages.
Mono, "Mono:Runtime—The Mono Runtime", printed from http://www.mono-project.com/Mono:Runtime, Jan. 24, 2006, 8 pages.
Novell AppArmor Powered by Immunix 1.2 Installation and QuickStart Guide, Sep. 29, 2005, 18 pages.
Oaks, Scott, "Java Security, 2nd Edition", Publisher O'Reilly Media, Inc., May 17, 2001, 22 pages.
Sokolsky et al., "Steering of Real-Time Systems Based on Monitoring and Checking", Proceedings of the Fifth International Workshop, Nov. 18-20, 1999, pp. 11-18.
Sundmark et al., "Monitored Software Components - A Novel Software Engineering Approach", Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC'04), Nov. 30-Dec. 3, 2004, pp. 624-631.
Sundmark et al., "Monitored Software Components — A Novel Software Engineering Approach", Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC'04), Nov. 30-Dec. 3, 2004, pp. 624-631.
Zone Labs "Technical Support Tech Notes: Protection Against Advanced Firewall Bypass Techniques", printed from http://www.zonelabs.com/store/content/support/technote, Aug. 23, 2006, 3 pages.
Zone Labs "Zone Labs PASS Program" printed from http://www.zonelabs.com/store/company/partners/passFAZ.jsp, Aug. 23, 2006, 1 page.

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080046961A1 (en) * 2006-08-11 2008-02-21 Novell, Inc. System and method for network permissions evaluation
US7856654B2 (en) 2006-08-11 2010-12-21 Novell, Inc. System and method for network permissions evaluation
US7823186B2 (en) 2006-08-24 2010-10-26 Novell, Inc. System and method for applying security policies on multiple assembly caches
US20120030272A1 (en) * 2010-07-27 2012-02-02 International Business Machines Corporation Uploading and Executing Command Line Scripts
US8521808B2 (en) * 2010-07-27 2013-08-27 International Business Machines Corporation Uploading and executing command line scripts
US9165136B1 (en) * 2010-10-27 2015-10-20 Amazon Technologies, Inc. Supervising execution of untrusted code
WO2012082524A1 (en) * 2010-12-16 2012-06-21 Microsoft Corporation Security sandbox
US20140223426A1 (en) * 2011-10-06 2014-08-07 Thales Method of generating, from an initial package file comprising an application to be secured and an initial configuration file, a package file for securing the application, and associated computer program product and computing device
CN102902920A (en) * 2012-09-13 2013-01-30 西北工业大学 Method and system for access safety detection and isolation of virtualized user
US20150143375A1 (en) * 2013-11-18 2015-05-21 Unisys Corporation Transaction execution in systems without transaction support
US9766981B2 (en) 2014-06-10 2017-09-19 Institute For Information Industry Synchronization apparatus, method, and non-transitory computer readable storage medium

Also Published As

Publication number Publication date Type
US20070226773A1 (en) 2007-09-27 application

Similar Documents

Publication Publication Date Title
US7506170B2 (en) Method for secure access to multiple secure networks
US6317868B1 (en) Process for transparently enforcing protection domains and access control as well as auditing operations in software components
US7698744B2 (en) Secure system for allowing the execution of authorized computer program code
US20100122313A1 (en) Method and system for restricting file access in a computer system
US20050172126A1 (en) Security requirement determination
US20080263676A1 (en) System and method for protecting data information stored in storage
US20050091214A1 (en) Internal object protection from application programs
US7085928B1 (en) System and method for defending against malicious software
US20080256606A1 (en) Method and Apparatus for Privilege Management
US20050091535A1 (en) Application identity for software products
US20040230835A1 (en) Mechanism for evaluating security risks
US20080066177A1 (en) Methods, systems, and computer program products for implementing inter-process integrity serialization
US7506364B2 (en) Integrated access authorization
US20070011723A1 (en) Method for maintaining application compatibility within an application isolation policy
US20060090192A1 (en) Method and system for ensuring that computer programs are trustworthy
US20060075492A1 (en) Access authorization with anomaly detection
US20120185863A1 (en) Methods for restricting resources used by a program based on entitlements
US20110047613A1 (en) Systems and methods for providing an isolated execution environment for accessing untrusted content
US20060117063A1 (en) Method and system of applying policy on screened files
US7076557B1 (en) Applying a permission grant set to a call stack during runtime
US20070199068A1 (en) Managed control of processes including privilege escalation
US20060075462A1 (en) Access authorization having embedded policies
US8117441B2 (en) Integrating security protection tools with computer device integrity and privacy policy
US8042186B1 (en) System and method for detection of complex malware
US8099596B1 (en) System and method for malware protection using virtualization

Legal Events

Date Code Title Description
AS Assignment

Owner name: NOVELL, INC., UTAH

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:POULIOT, SEBASTIEN;REEL/FRAME:017522/0823

Effective date: 20060324

Owner name: NOVELL, INC.,UTAH

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:POULIOT, SEBASTIEN;REEL/FRAME:017522/0823

Effective date: 20060324

AS Assignment

Owner name: ORACLE INTERNATIONAL CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CPTN HOLDINGS LLC;REEL/FRAME:027787/0732

Effective date: 20110909

Owner name: CPTN HOLDINGS LLC, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NOVELL, INC.;REEL/FRAME:027787/0681

Effective date: 20110427

FPAY Fee payment

Year of fee payment: 4

MAFP

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552)

Year of fee payment: 8